author | bors[bot] <26634292+bors[bot]@users.noreply.github.com> | 2020-08-26 06:46:15 +0000 |
---|---|---|
committer | GitHub <[email protected]> | 2020-08-26 06:46:15 +0000 |
commit | e706748e751a462d81a30de09bebf5ab27e696c2 (patch) | |
tree | 3d4fb8152995e3265a2a4635149ba9d87583e9f7 | |
parent | cab2b5f909e3322ae7bdbe7ab9a356e80b6ecc2c (diff) | |
parent | 2f1958b98162c4728de90c0bd4ce2b763df9c3c3 (diff) |
Merge #351
351: Fix HSTS header r=48d90782 a=antonydevanchi
Fix the HSTS header, which is published by default and cannot be overwritten from PHP.
— Serve an HSTS header on the base domain for HTTPS requests:
—— The `max-age` must be at least _31536000_ seconds (1 year).
—— The `includeSubDomains` directive must be specified.
—— The `preload` directive must be specified.
Reference: https://hstspreload.org
Co-authored-by: antonydevanchi <[email protected]>
-rw-r--r-- | service/http/service.go | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/service/http/service.go b/service/http/service.go
index b260008c..ba0c4b1c 100644
--- a/service/http/service.go
+++ b/service/http/service.go
@@ -6,6 +6,13 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/fcgi"
+	"net/url"
+	"strings"
+	"sync"
+
 	"github.com/sirupsen/logrus"
 	"github.com/spiral/roadrunner"
 	"github.com/spiral/roadrunner/service/env"
@@ -14,12 +21,6 @@ import (
 	"github.com/spiral/roadrunner/util"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
-	"io/ioutil"
-	"net/http"
-	"net/http/fcgi"
-	"net/url"
-	"strings"
-	"sync"
 )
 
 const (
@@ -264,7 +265,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if s.https != nil && r.TLS != nil {
-		w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		w.Header().Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
 	}
 
 	r = attributes.Init(r) |
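Review bot: The third hunk still emits the HSTS value with `w.Header().Add(...)`, so the "cannot be overwritten from PHP" problem named in the PR description does not appear to be addressed by changing only the directive string; if the worker response later supplies its own Strict-Transport-Security header, the reply will carry two values, and RFC 6797 §8.1 has user agents honour only the first one, which here is the hard-coded one. The rest of ServeHTTP, including where worker headers are merged into `w`, is outside this hunk, so where the override should happen cannot be confirmed from here. Separately, hard-coding `preload` makes every TLS-enabled deployment assert preload eligibility for the domain and all of its subdomains, which is a commitment operators should opt into; the value is better read from the HTTPS config (the `s.https` struct visible in the condition) with this string as the default. At minimum the line deserves a why-comment such as `// default HSTS policy; preload + includeSubDomains binds the whole domain, see https://hstspreload.org`.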